The next generation of hacker hunting will happen in real time

Norse Corp IP Viking

The phone rings. Through sleep-blurred eyes, you see that the alarm clock reads 2:37 a.m. Grasping, you reach the noisy thing on the dark bedside table. An 800-number glows on the screen. You answer, confused and appropriately peeved.

“Uh, hello?” you say.

“Hello, this is AT&T calling. We are sorry to bother you at this hour, sir, but our system shows that your computer is currently being used in a cyber attack on the Internal Revenue Service. We are informing you that your home will be disconnected from the Internet entirely until the issue has been resolved. Thank you. Goodbye.”

We may all be getting calls similar to this one in the near future thanks to a cybersecurity company called Norse Corporation, which has created a new way to combat cyber attacks: It’s called IP Viking, the world’s first cyber risk intelligence system that is able to monitor cyber attacks as they happen, in real time, anywhere on the planet – and then stop them within minutes.

How IP Viking works

At the heart of IP Viking lies thousands of monitoring “agents” that collect live Internet traffic data – about 19 terabytes of it each day.

“Our agent system is distributed worldwide. We have thousands of Internet points. We actually have infrastructure on every single … Internet exchange point in the country,” said Tommy Stiansen, Norse’s chief technology officer, during a phone interview. “We basically try to see as much of the dark side of the Internet as we possibly can.”

This “dark side of the Internet” includes everything from general Web traffic, to peer-to-peer networks, to IRC networks, to TOR.

IP Viking

It is through its agents that Norse is able to keep a keen eye on what’s happening around the Net. Among these agents are thousands of “honeypots,” traps set by Norse in an attempt to lure in hackers or, more frequently, automated tools that attack computer networks, and build botnets, which harness the power of otherwise innocent computers – like the one you’re on right now – to do various forms of digital dirty work. These honeypots include everything from servers to SEO-targeted links for hacking-related content.

“We have a very large honeypot, where we have, at any given time, over 5 million emulations towards the Internet,” said Stiansen. “Meaning we emulate over 5 million users, severs, infrastructures on the Internet. We mimic a bank. We put in place honeypots to mimic Microsoft Exchange servers, Linux systems, ATMs. We try to mimic as much as we can of the infrastructure online to make it look attractive to be attacked.”

It is through these honeypots, or “mousetraps,” that Norse is able to dupe hackers or malicious computer tools into revealing information about themselves, like IP addresses, which Norse can then use to keep track of their activities. Once IP Viking has pinpointed some “unethical traffic,” as Stiansen calls it, the system is able to see which systems are being attacked or have been hit with malware that recruits these systems into botnets, which are then used to carry out other attacks.

During an hour-long live demo of IP Viking, I witnesses real-time attacks on, or originating from, the systems of some of the biggest entities in the United States, including Microsoft and Cisco, banks, libraries, universities, and even the U.S. Department of Defense.

The video above is a “heat map” representation of the data collected by IP Viking. While watching, keep in mind that these are real cyber attacks, not simulations. The red dots represent cyber attacks. The yellow dots are Norse’s honeypots. The streaming text field below shows city, country, and exact coordinates of where an attack is originating from, as well as which Norse system is being attacked, and the IP address(es) of the attacker. Stiansen says that the name of the hacker organization that is carrying out an attack will also be included soon.

What IP Viking means for you

This information, along with some 1,500 other factors, are then used to assign each IP address collected by IP Viking with what Norse calls an “IPQ,” a zero-to-100 rating system that denotes the threat levels of individual IP addresses. The factors include things like the “context of the interaction we had with the IP address,” says Stiansen, who owns the IP address, geographical location, how often an IP address is used, and many more. Companies who purchase Norse’s products will then be able to gauge the threat level of each and every IP address that attempts to connect to their systems. This, in turn, means that if your IP address scores a high IPQ, you might be denied access to a website or online service armed with IP Viking.

In addition to alerting companies to real-time cyber attacks, Norse’s system will also allow Internet service providers or other Norse clients to alert individuals when their computers have been wrapped into a botnet, or are otherwise part of a cyber attack. (Thus, the phone call from AT&T.) This is especially important, says Norse marketing director Beau Roberts, because a large number of innocent Web users, small businesses, and larger corporations are ignorantly helping hackers carry out massive cyber attacks.

“There’s a significant percent of users of the Internet today that are part of a botnet but don’t know it,” says Roberts. “And we intend on helping bring that number way down.”

While IP Viking only launched a few weeks ago, Roberts says they plan to use the cyber attack data gathered through the system to recruit new clients. Norse also plans to partner with other cybersecurity companies to help further bolster the Internet’s defenses. And even bloggers will soon be able to get in on the live cyber attack fun with a WordPress plugin that’s due to launch in the coming weeks.

Lead image via Konstantin Yolshin/Shutterstock

Correction: The original version of this article incorrectly stated that a low IPQ score could prevent access to websites.